saugus. >> 23 years and over hundred 40 c-span appearances later were joined by douglas brinkley. this year of the c-span bus as we set out to visit the state capitals, we thank you for that idea. >> i reminded me of how invaluable the c-span archivists that you can go back and pull up these interviews that c-span has done over the sears, now they are tools for historians if you want to interview someone, or do a paper and need a primary source you can tap into that c-span archive and get real quotes for your paper. congratulations on keeping the archive intact. >> for the past 30 years, the video library is your free resource for politics, congress, and washington public affairs. whether it happen 30 years ago or 30 minutes ago, find it in

c-span's video library at c-span.org. where history unfolds daily. >> next security in a change commission testifies before the senate banking committee. they face questions on the data breach that may have made confidential companies vulnerable. it also focused on the recent data breach of equifax, credit reporting for which impacted an estimated 143 million americans. this is about two hours. >> today we will receive testimony from the securities

exchange chairman jay clayton regarding the work and the agenda of the fcc. we thank you mr. chairman for attending today. oversight of the fcc is a critical function of this committee. the fcc has an important three-part mission. to protect investors, maintain fair, orderly and efficient markets and facilitate capital formation. no one part of this mission is important than the other. they increase transparency and trust in the u.s. stock market providing investors with material information they need to make informed decisions. that helps investors participate on a fair footing. so they can prepare for milestones in their lives such as college, retirement or other life-changing events. it's critical they continue their important work to fulfill this mission. at the same time they must be cognizant that it could carry risk to the very markets they seek to help. i commend you for doing an

assessment of the risk profile. the commission collects and restores public and nonpublic data. if this were subject to a cyber breach it could have severe consequences to the markets, the participants in the public. i was disturbed to learn that it suffered a cyber breach of its system in 2016 but did not notify the public words commissioners until it was discovered during a recent review. it's critical the fcc safeguards the data collects and maintains. especially as the consolidated audit trail becomes operational. through the cap the fcc will have access to significant nonpublic data and personally identifiable information including names addresses, dates of birth and social security numbers. the recent equifax pre-has highlighted the need to protect

this information. we need to ensure that entities only collect this information if and when necessary and if it is collected that it is properly secured. i'm glad to see that under your leadership they're taking cyber security seriously. other regulators and agencies should follow their lead and limited delineate their own cyber risk profiles. if breached they should disclose such problems to the public and to congress. both regulators and companies. as a part of your work in the cyber security area you should review current cyber risk guidance to ensure investors understand the magnitude and complexity. along with your attention to cyber i appreciate your focus on the standards of conduct for investment advisors and broker-dealers.

the rule will limit investor choice make investing more expensive for more americans and heard the ability for people to save for retirement. of clarification needs to be made i believe the fcc has the most expertise and is the best position to establish consistent standards for all of yours. i appreciate your focus on the importance of encouraging capital formation. the capital markets are essential to helping companies grow and ensuring's that americans have investment opportunities. i'm interested in hearing your ideas of how we can encourage more to go public. the senate recently passed several bipartisan security bills and we would be interested in additional ways that congress can improve security loss. i look forward of hearing your thoughts on these issues in the

future of the commission. >> thank you and welcome to our committee. last week just about every adult in america was trying to comprehend the risks that they are someone in the family faces because of equifax cyber breach disclose their own breach in 2016. in addition to raising concern about the integrity of their data system, it allowed hackers to obtain nonpublic information and perhaps make illegal stock trades. we expect the companies that hold that will keep that information secure and be upfront with the public about regulators when breaches occur. regulatory agencies must by the same or a higher standard. a year after the fact the fcc had its own breach likely it led to illegal stock trade and it

raises questions about why this seems to have swept it under the rug. what are we not being told what information is at risk it what are the consequences to the american public generally. this breach took place in our predecessor we recognize that. the disclosure or the lack thereof is all yours. investors expect to have confidence and hold big companies accountable when the fcc is not immediately forthcoming. equifax violated the public's trust choice first when it failed to secure the volumes of data it collects and profits from about america's financial lives in the second time when it waited over one month when it did a breach. how do you expect companies to do the right thing when your agencies have not.

we after in the public's trust every day. right now they need to make sure companies that it regulates that they do better. doing more doesn't end was cyber security. mandate has never been more important making sure main street investors are treated fairly and companies do not abuse accounting rules the market should be at the top of your list at the fcc as you consider offering reforms reducing disclosure. protecting investors also mean that they need to finish the dodd frank title. the incentive compensation role, each of these rulemaking will help enhance investors in the public's trust in our markets and the financial system. chairman has been five months since your swearing in. i expect the next five months will be more demanding than last

five. responsibilities grow and people are watching about how you personally is chairman hold companies accountable. thank you. >> thank you. as you know your full written testimony has been made a part of the record. i understand the best for next room minute in your opening statement and you are welcome to have that. i do not want the senators to think everyone is being granted in a minute. i encourage them to remember the time. with that please proceed. >> thank you for your indulgence. chairman, ranking member and establish members of the committee thank you for the opportunity to testify before you today about the work of the u.s. securities exchange commission. try to be concise as i know you and the american people have many important questions regarding among other things are cyber risk profile and the intrusion we discussed last week. we'll start with a thank you.

my fellow commissioners and the people of the agency have been welcoming. i have benefited from each interaction with these individuals. through my time at the commission i've devoted a substantial proportion to agency operations including assessing whether we have the people, technology and office space necessary. discussed in more detail i believe there for areas where additional focus and resources are needed. cyber security, retail investor protection, market integrity including market structure and capital formation. specifically with regard to cyber security i've been focused on this, as recent events demonstrate all too well this is an area we need to devote significant resource and attention to respond to market developments and meet the expectations of the american people.

in august 2017 in connection with an ongoing investigation i was notified of a possible intrusion into her anger system. in response i commenced an internal review. through the review and the ongoing investigation carson formed the 2016 intrusion provided access to the egger filing information and may have provided the basis for illicit gain through trading. we believed it involved the defect of custom software in our egger system. our office of took steps to remediate the defect and reported the incident to the department of homeland security. based on the investigation today. the prior mediation effort was successful. we believe the intrusion did not result in unauthorized access to

unidentifiable operation resulted in systemic risk. a review of these is ongoing and it might take substantial time to complete. this is to related components. the first in the 2016 inclusion itself including efforts to determine its scope and whether there were or alter any of vulnerabilities in the system. conducting this review -- egger is a critical component of our disclose or base market system and accepts filings continuously during the week. various agency personnel including members of the enforcement division, the office of inspector general have been involved in this effort. i have formally requested that the office of inspector general

begin a review into what led to this, the scope of nonpublic information compromise and our efforts in response. i've asked the office to provide recommendations of how it should remediate any system or control deficiencies. the second component is about trading. the investigation is being conducted by her division of enforcement and is ongoing. through limits on what i know and can discuss due to the status and nature of these reviews nevertheless, this past wednesday i directed the issuance of a cyber risk profile statement in the press release highlighting the intrusion. i directed this because although many questions remain i believe that once i knew enough to understand the intrusion provided access to test filings and it resulted in misuse of public information is important

to make that exposure to the american people in congress. the matter involving the egger system concerns me. i recognize i'm not the only one deeply concerned. it will cause this committee and others to increase weather the approach to cyber security appropriately addresses our risk profile. this is why was appropriate to disclose it now even though our reviews ongoing. as a result, some have questioned if we can protect the sensitive information we receive and if we should receive further data. this is not the time for the fcc to pull back by limiting access. this too important to mainstream investors to do so. we must be vigilant and we must do better. we must also recognize in both public and private sectors there

will be intrusions and a key component of market participants general resilience of recovery. turning to policy matters my testimony talks about recent regulatory efforts in detail. i will highlight the upcoming act. a semiannual disclosure of the priorities. it's important these agendas provide transparency and accountability for agency matters. there to meet their purpose these agendas must be streamlined to inform congress, investors and other parties about what we intend to do and expect to do over the coming year. thank you, and thank you for your indulgence on this for time. >> thank you very much. first, i have been concerned with the growing data collection

requirements by regulators. i'm concerned about the massive data collection going on in the private sector, information about people's lives that can enhance resulted in damage to them. my concerns have grown giving the cyber breaches at the irs, the opm, your commission and other agencies. i've mentioned times the consumer financial protection bureau that i'm very concerned. in addition, the fcc has come under scrutiny in recent reports for its own security controls over key systems. the fcc and other agencies moderate, regulate and enforce data safeguards in place. given the amount of data they collect and the roles they play as stewards of our markets, the fcc and other agencies must be held to us higher standard.

a couple questions about the current cyber attack that you're dealing with, can you give us information about the defect in the software that cause this attackers is not the time to discuss this? >> i do not have more information about the type of defect that led to the intrusion. there is an ongoing investigation in the office of inspector general is involved. as relevant facts become available we intend to work with this committee to ensure you have the information you need. >> you said this in your testimony but what actions did you take as he found out about the breach? >> it's like you find out about a region you know everything on day one. this came to my attention in august of this year. i immediately instructed the investigation take place.

over the course of that investigation it became clear this was a serious matter. it became clear i made the determination to make take a number of steps including ensuring the system was working. is a system that's critical to the operation of our markets in the fcc. also, disclosure. i know it's a focus of this committee. i decided that the disclosure was necessary. then the question is, what faxed you have, we tried to gather more facts, and make a clear disclosure not one that's misleading. i made the decision over the past weekend that the time had come to make the disclosure. we are not to learn more and we made the disclosure. we've taken a number of steps including hiring outside consultants to do penetration

testing, and reviews, one of the worries is when you make a public disclosure other people try to test and probe. we are under constant attack from the various actors. i can go throw the things but that's a high level of things that have been taken. >> the consolidated audit trail is an issue that's been important to me and members of the committee for a number of years. once implemented it will capture order event information from the time of the order through execution. will have a personally identifiable information. i'm concerned about that, do you believe this data must be collected, and if so how can it be adequately protected? >> i do believe that data of the type were collecting is valuable

to our oversight role. if you look at oversight training, broker-dealers, this type of data enables us to detect things we have not been able to in the past. it's important, that said, when i got to the commission and investigated the cat system as a person responsible for as opposed to someone on the outside i made the decision that we do not want to take sensitive data that we do not need to further our mission. we also should not take sensitive data unless we can protect it. i felt that way several months ago and even more so today. >> thank you. >> on aquifer facts we know waited six weeks to discuss disclose it cyber breach,

243 million americans were in the hands of criminals. companies will often say if it doesn't have a material impact on the financial results they don't need to disclose it. >> i believe that reality is the core of our disclosure system. going to your question about whether companies are making the right assessment, i think that's a very good question. >> so when it's left in the hands of the company with fcc from that response, it doesn't seem disengaged in this question issue and they may continue this kind of behavior.

>> company should be disclosing more. i'm not going to talk about a specific company or set of circumstances, that's an appropriate for my position. as i look across the landscape of disclosure and i've been saying this, they should be providing better disclosure about the risk profile, sooner disclosure about intrusions that may affect investor decisions. across the landscape of the markets not just company by company there should be better disclosure for the cyber risk we face. >> so you would disagree with activex decision to withhold that information for several weeks? >> i'm not going to get into a particular company's decision or nondecision.

>> you can't say that aquifer facts wasn't wrong in withholding misinformation? irrespective of the executives, you can't say that they were wrong withholding that information? >> it would be wrong to comment on that. let me say this about making the decision went to disclose, we expect people to constantly assess when they have notice of a cyber breach we expect them to assess whether that is material to investors and when they determined it is, make appropriate disclosure promptly. >> that's a big concern, if a company did what they did in the chair the fcc is not willing to be critical of that, that's a concern to many of us. this morning they announced the ceo is retiring, two weeks ago the cio and chief security officer retire.

you think it's appropriate for the executives who ran the company during the massive breach that they get to retire and keep their bonuses and stocks? >> that's a specific matter that might come before the mission to make decisions. it would be inappropriate comment on that matter, do i believe that if exact executives have profited from a high stock price as a result of failure to disclose, other acts that are clearly violations of our securities laws the ability to get backpacking, yes i do. >> any think the clawback should be ordered by the fcc, not relying on the board as wells fargo apparently day? >> there's a pending rulemaking were looking at that.

>> no one. >> one of many mandates. i intend to finish the mandate. i will be very open with this committee and the american people about our priorities and i welcome your input on how we prioritize those. >> and you understand the american public in case after case feels this government let it down when executives through massive in confidence which may have been all was with the facts or fraud is a failure to disclose kitchen needed to the executives dumping their stock. to understand the anger forget anybody going to prison, get that but not even clawbacks for these executives, to understand the public's outrage about that. >> yes i do,. >> thank you and thank you for being here this morning.

i once had to answer to the fcc is a financial representative was never fun to have you walk into the office and share your time with us in the business. however it's important to recognize that the fiduciary rule has had a negative impact on many americans, the average south carolinian has less than one year salary and their retirement accounts. restricting access to professionals in the financial industry has a negative impact on the resources available to the average american for retirement. blessing we need to do is find ways to get experts out of the household which is the unintended consequence. there is a survey of 600 financial advisors who found that 75% of the professionals

starting assets under $25000 will take on fewer small accounts do to increase compliance costs and legal risk under the dol rule. these folks desperately need the experts to make good, sound financial decisions. i was pleased to see the two-month delay, so my question is, the more to tell us about your coordination with the dol on the judiciary rule? >> i want to thank secretary costa for reaching out in this regard. reaching out to say that we should work together on this and i believe we should. steps we have taken, i've issued a request for updated views from investors and from industry participants on the effect of the dol rule and what we should

do going forward. we are reviewing the information received, i have made it clear that based on what i know today there are couple of things i want to make sure i reflect in any joint rulemaking including state regulators. first investors of the type you describe have choice, they're not pushed into a narrow set of circumstances as a result of whatever steps we take. second, there's clarity. they know the person they're dealing with and the obligations owed to them. third, there is consistency. if you have two types of accounts but facing the same person, there are to be consistency with respect to that accounts. and last, coordination. we at the dol are state

coordinated were courtney did on how we work with us. >> thank you it's good to have the fcc and dol working together. state insurance regulators are the experts on fixed-income annuities. how would you be involved? >> i have been in dialogue with the state regulators since i got on the job. they will be part of this effort. >> thank you. two more points, one on the chicago stock exchange, the fact that we're looking at chinese investors trying to buy the chicago stock exchange and you pumping the brakes i think is good, we would like to encourage more that but to do that in the most responsible way possible. another issue that's important shareholder re- submissions.

management of public companies should be held accountable by the shareholders. balance between both sides ensures productivity and corporate transparency. i wonder if the scales have a benefit tipped too far. we allow for resubmission of proposals even if nearly 90% of shareholders have already voted no in the past. all the while it does little to protect investors. our other shareholders impacted by such a low bar for proposal of resubmission? this is an area we should be examining. shareholder access to management is important. there's many times where shareholders may proposals that have led to positive change. you identified an issue that you can have not widely held idiosyncratic views of a few shareholders across the other

ones a substantial amount of time and management valuable time that you don't get back. we need to look at that balance and the oversight role. >> thank you. >> on a topic that senator scotch is brought up with the u.s. stock exchange potential purses by chinese company. i hope that reviews come back. that's my opinion as a farmer. earlier this month we learn that 360,000 people have their private information stolen. when the equifax breach happened. that's over 60% of the adults in our state. if the election said anything last time you said many things, the people on the ground, regular folks are tired of folks

getting away with wrongdoings. your answer chairman to the ranking member was inappropriate to comment on the six week delay, the six week delay seems bizarre especially if these folks dump stock and tried to, why would they wait six weeks? >> these are good questions. their valid questions, their questions that the american public should have, in my position as a person who may have to. >> that's why you don't want to, and? you believe these sorts need to be held accountable if there's wrongdoing whether they still have there's position or resigned you will to the full extent of the law to force the law? >> that's my job. >> good. >> i would say that what

transpired here and i'm not your position, but six weeks is way too long. i cannot believe that quite frankly and by the way i know richard smith reside today but i hope you still can come in front of the committee next week. i think it's less of spending time with his family and not spending time with us. they spent six weeks announcing the breach but his resignation papers were signed yesterday, it was announced today. so they can do it quicker if they want to. i hope way forward, will be watching. as far as your fcc's breach, when did that happen in 2016? >> that's part of our ongoing internal investigation. >> you don't know for sure?

>> i don't think we can say for sure. one question asked is whatever defect causes a breach and you said you didn't know what that defect was. i understand but the question is, what is stopping them from doing again? if you don't know what the default this and they breach your system, then they could reach at any time they want. >> it was a defect in a custom piece of software for edgar system. i'm not a computer science expert, spent a long time since i've done programming. my understanding of the landscape is the more custom software's more likely it is to be vulnerable. >> so you're able to cut the custom portion now? >> fair enough. >> so you did say you are in the process of a review that would

involve to determine the scope of the breach of the response to that scope, what is your timeline? >> i can't to be a timeline. i have experience with these investigations. one thing were constrained by is that you have to pull a lot of data to look at it including in terms of scope. >> to feel this is an urgent matter? >> i do. >> so when there's no definite timeline and spend my experience that these things go on forever, i would hope that you as chairman of the fcc will put the screws to these folks to make sure they're getting the job done so we can find out was going on, this is a big deal. >> i will and i have already above the office of inspector general. >> one other thing with dol. the fiduciary rule in senator

scott said you were working together to harmonize those rules, is think about something else i want to confirm that, are you working with the dol so people don't get ping-pong between two rules? >> yes and you anticipate that harmonize role will be out, when? >> this is a priority, everything can't be a priority. >> repression this one. this is the top of my list in that area. >> senator kennedy. >> thank you mr. chairman. he said he found out about the fcc data breach in august of the sure? >> yes or.

>> when did the fcc find out about it? >> in 2016 selected chairman white know about it? >> what happened in 2016 and who knew about it will be the subject of this review of s the office of inspector general, i have no belief here the chair white know about it. >> when you found out about it how did you find out about? >> or division of enforcement had an investigation and that cause them to question whether there had been a breach of our system. and that's the time i launched an investigation. >> when did they raise that question? >> that there may have been a data breach? >> they raced in august of this year. swing did they not raise it at 10:00 o'clock them and call you

at 11 or did they know about it? >> i think they reset promptly upon learning about it. our response to this matter is something concerned about. >> will not blaming you, did chairman white tell you about this breach when she was leaving and say this is something you need to worry about? >> no. i had no indication that chair white had knowledge of the breach. >> will you at some point tell us when the fcc first learned about the breach, not when you're first notified but when they first learned about the breach? >> i've asked them to look into this matter, those are questions i want to know the answer to. >> is there any possibility that

the fcc knew about the breach in 2016 and didn't disclose it? >> i don't want to go there. i want to wait until the facts come out. >> let me ask about the equifax breach. after the company, fax learned about the data breach, several senior executives sold stock. was that insider trading? >> i won't comment on that matter for the reasons i have discussed. >> are you going to investigate it? >> we don't comment on pending investigation including if they are pending. >> when you're not going to ignored are you? >> i'm not ignoring. >> so you're neither confirming

nor denying there is an investigation. >> that's correct. >> and i want to say, the investigation i needed to disclose that one. >> let me put it this way, i'm not suggesting you want investigate but if you decide that investigate let us know so we can investigate? >> i think that's a fair question. >> fair enough and i'm not accusing of anybody of anything. it's more than just a data breach involved. there's the sanctity of the equity markets as well. i think executives are taking the position that they knew nothing, said nothing in this is just a coincidence. that may well be but need to

trust to verify. glad to hear that you're investigating. thank you. >> about out of time. what strikes me and many americans this curious about the credit reporting agencies, i didn't hire them to collect information about me. they don't represent me. they represent business. but i do not hire them to collect this. but then my information is out there somewhere in the dark web. seems to me at some point that something we need to talk about this committee. what the role of the credit reporting agencies play. >> i'm going on too long. thank you mr. chairman.

this is more interesting than practicing law, isn't it? >> some days. >> senator warner. >> let me ago was senator kennedy who said. the whole notion of credit rating agencies and public's ability, we have no ability to adopt into the systems. i'm often asked him a job on the intelligence committee what i think the single greatest one ability this and i think it cyber security. i believe we don't have a whole of government on cyber security. in recent times who seen russia take on an attack in 21 overstates voting systems. we've seen social media platforms being manipulated with false information in the first

shots at least directly related to cyber. i appreciate you coming forward with the recognition of the edgar system breach. this is not in isolation. we've seen other governmental breaches. echo faxes a travesty. the fact that the resignation of the ceos not enough. i understand acknowledging the investigation that your colleagues who also have a process in place where they don't reveal an ongoing investigation, they felt it was so serious that they acknowledge there was an investigation going on in the aquifer speech is so egregious in terms of the

sloppiness and the fact that it was clearly on vulnerability they have no for months. if they put a patch in place they may have included this. then thad insult to injury when it put up to direct consumers after the breach the site was not properly domain registered was known to have vulnerabilities inside itself. so if we don't send a strong message i question whether equifax has the right to even continue providing services with the level of sloppiness and lack of attention to cyber security. this is not the first time, last year 500 million user breach

yahoo do not believe it was materially to even report. my investigation has shown that we've had less than a hundred sy level of cyber would meet that material public. to on a make a comment about what the fcc might be looking at in terms of the standards as it relates to cyber standard? >> i agree with you and i don't think there's been enough disclosure around this profile with respect to cyber security. where are the wrist, what are

the environmen vulnerabilities? if there are breaches than the disclosure of those breaches. i don't think there's been adequate disclosure. >> i know i very interested in it i would like to work with you whether we've had legislative action. i think back in 2014 you created -- which looks at systems. i've prodigy repeatedly both during your tenure this goes to the technical risk standards currently it only applies to stock and option exchanges. clearing agencies in certain

alternative trading systems. we left off dark pools, treasury markets we've had much more disclosure about what market structures were covered then they can vote with their shares only met these minimum standards rather than having this have coverage in half the market not coverage. could you address the question of whether you take a fresh look in terms of expanding to the parts market coverage. >> thank you for your letter which i read leslie. i agree with you. would hate to look at other important venues and or equity market system to see if they

should be reporting on the same basis. also whether the public has enough information about which entities are subject. >> i think it's important to get that information out. then we introduced him to move to areas. >> thank you mr. chair. some of my colleagues have already raised the issue of cyber attack against fcc that targeted the sec's electronic system. i know this occurred before your nomination and confirmation that i like to hear thoughts on what the incident might suggest a better governments posture with regards to cyber security.

it's difficult for an agency to adequately protect against the step of intrusion. and sometimes a level of expertise necessary would help agencies and departments. from what you know about the attack that took place, do you feel like you have adequate resources to protect yourself in the future? does ernie's to be more effort to look at these intrusions in the future? >> i think we need things going forward. the data point i use, other people in my position feel the same way i do, this is a risk to her agencies and markets and the economy that we regulate and oversee. i believe we will need more resources going forward. if you look at the resources

that private actors devote information technology in cyber security, single actors door the amount that we have available to spend. to me that just tells me were out of step. >> if you take a look at the edgar system that will remain in place basically indicated earlier testimony is complex, it's been modified and customized based upon the information you received it makes it more vulnerable than some other types of larger systems that basically a patch is put together for for the public's hands. does have a system coming on board, the cad system the

comprehensive audit trail. i assume the two will be compatible operational at the same time. when that happens you have a huge amount of information found at one location including information about investors, that will remain on the system itself, is it time to say, timeout and to make sure the new system coming on board naturally would go through a vetting process but time to have those opinions to make sure that we've done what we care to protect this data, before we go online and find out that there needs to be more patches. what are your thoughts on this process? >> since i got the commission

and learned more details it's been clear to me that we don't want to be taking data from the cat unless we need it and can protect it. with respect to having a timeout come i don't think a full timeout makes sense. there's a lot of data that exists. we can be collecting that will further our oversight. but we should be examining if we need that data. we can phase in the cat and we should be doing -- we should be doing the kind of critical thinking and how we bring online and how we sequence what we do. >> to have the resource to do that vetting process today? >> that vetting process is a prerequisite. if i don't have it that will be

how it's determined online. >> i understand a certain federal reserve may be causing some concerns that the fcc regulates. will the exchange commission commit to working with interested parties on a solution and make this a priority? >> liquidity in the options ar area, it's not just important for the options market but all of our markets. if there's a liquidity issue it can affect the cash equities market that's important we focus on it. >> i appreciated. thank you. >> thank you mr. chairman and thank you for being here.

in one of your first speeches as chairman you noted there has been quote a 50% decline in the total number of u.s. list of public companies over the past two decades. he said it was a serious issue for markets in the country. he wanted to encourage companies to go public so ordinary investors could get opportunities to invest in emerging companies. use this rationale for arguing that we should review and reduce disclosure burdens on public companies. i want to understand your thinking. you compare the number public companies today with the number of companies in 1996 and 1997. that was ahead of the.com booth.

there's a sharp increase in the number of companies leading up to the 96 and 97 years. a lot of those companies failed over the next few years. leaving mr. and mrs. 4o1401k losing money. when you pick 96 and 97 is your target years for comparison, were you arguing those were the ideal market conditions for ordinary investors? >> i'm happy to pick anytime over the past 20 years. . .

why you want to see more companies going public. a total of 26 billion the

average volume was higher than it was in 1996. nearly triple the total bet of a volume in 1996, so people are investing more money than they did even at the height of the.com boom but not to make money on each of these. why do you care if there are fewer so long as overall they are attracting more investor dollars? i believe this they used to have been here and if you invested in a portfolio of companies that were down here to you as a

retail investor were better off here. have you looked at the data because it shows having fewer but bigger ipos is better for investors they tend to perform better in the long run than in the past when there were more ipos and failures. those investors have done very

well and much better. they are performing better for investors and less likely to wipe investors. it's more than ever before and those companies are doing better for investors because they are more stable when they come to market. loosening the disclosure requirements make life a whole lot more profitable for a handful of bankers and corporate attorneys.

it would make life better for investors and it is investors not bankers and lawyers you were supposed to be watching out for. you said that he reality is thes the core of the system of disclosure. said companies should disclose more i agree. i want to talk more about the risk of climate change and severe weather events in the last 35 years the average number of inflation-adjusted 1 billion-dollar weather events was 5.5 per year in the last five years it has doubled. i know they provided some climate about the disclosure but not much additionally has happened so i want you to talk

about how you view climate change and its materiality as it is becoming increasingly clear that we cannot ignore this impact that they have on publicly traded companies. those two have impacts on companies that shouldn' should e disclosed and they have the weather events are we experiencing increased loss. regulatory responses to those events. do you think they are doing enough to require this disclosure?

>> we have issued guidance around this and a number of areas. we should continue to look at it. i agree there are industries that need to pay close attention to these trends. it states some scientists concluded that the increasing concentrations of greenhouse gas omissions may have the physical effects such as increased frequency of storms throughout and flood the such were to occur

it is uncertain if they would have an adverse effect and at the end one of the strongest atlantic storms shattered over 20% including five refineries owned by valero. they produce 1.1 million euros a day. does it seem like harvey had an adverse affect on the financial condition? it wouldn't surprise me if and events of that type would have an adverse affec effect on the company's financial condition.

do you think the fcc is doing enough to require disclosure from some of the companies it seems to me part of the problem is they don't want to weigh into something that is the subject of some controversy into the other problem is if measures risk that can be measured that is customarily measured and is a relatively new risk into the systems elsewhere in the industry isn't equipped to evaluate this and so what we do is book at a net zero because it is difficult to assess.

climate risk in the financial context is new and so i would ask if 2010 is a long time ago when it comes to our thinking about climate a long time ago when it comes to the fiscal impact on the public and private sector. they are articulating how we are going to quantify the adverse impact of climate change on the industry. they have to abide by some of the same particles that the members of the database are required to abide by. they have previously identified a few weaknesses related to the cyber security protocols.

can you give us an update on how you are addressing those concerns that they've raised at this point and also the other cards around the plan as well. we are not going to take the data unless we needed and we can protect it if the protocols for individuals are not as stringent as they can be. i don't have an answer to that right now. do you know yet whether they are and what do you agree with the conclusion of the?

will you come back to the committee when you get more information? under the jobs act they are permitted secondary offering statements that wouldn't be related until 15 days before and under the leadership this has been extended to companies of all sizes. can you describe the advantages of how to improve the more complicated process? they are transitioning to public companies and we want them to transition. they are better companies when they go through the process.

leading the world to see all of your financial same strategies and risks long before you go public causes some companies to pull back from that. i am very comfortable in think it is a great idea that the above companies to submit that information so that it can be reviewed and we can tell them where they need to improve and then with plenty of time to assess that information to make its public. it's a smart move that does not lessen protection but increases the opportunities investors ha have. >> the conflict middle school. they had a first amendment issue

on how to comply with the injured him and we are now reviewing the rule thank you mr. chairman for your testimony. i want to pick up on some of the questions senator brown asked regarding the materiality. you indicated you thought was whether there had been a material change in the circumstances of the company. and i understand you don't want to get into the situation but you would agree not talking about the company but is in fact there was a material change, it would be wrong for executives of the company to then knowingly trade stocks before they made

any disclosure. so i want to get to what the materiality means because i don't believe the fcc has any definition at least in the context of a cyber security breach. >> i think the definition definitely does apply to the cyber context. there's though standard or definition of how to apply the concept anconcepts and materiala cyber breach. so they don't say if a cyber breach was resolved on the disclosure. there is no prescriptive disclosure. so it's kind of you know it when you see it.

but did they bring this kind of materiality case up for failure or violation? >> we do. let me ask if you would agree that it is wrong for people to knowingly trade on information that is material that hasn't been disclosed would you agree that once a company has decided something is material, their executives shouldn't be trading the stock between the time they decide its material and they filed is sure to the public. >> i think what you are asking is a control issue should there be a control in place. the company has in place a control to prevent.

whether it goes into a control failure >> it seems there should be the presumption that there's been a material change there should be a rule executives to trade the stock doesn't make sense in terms of protecting the market's? most companies have insider policies with controls of the type you are suggesting as an important part of the corporate hygiene.

it's about when you determine the materiality. it seems like a no-brainer that once the company has determined that there's been a change and they notify the public which they have four days to do you would require them not to sell stock. i like the concept. i would put the concept into the trading policies for example it general counsel. those are the type of things. >> there was a study in september, 2015 at columbia law school. and others have done studies that show what they call the trading gap which is that executives have made money

during this four-day period that a decision has been made on disclosure. do you think it is wrong for executives to be making money based on that materiality should there be a rule that once they've made their decision something is material that they shouldn't be allowed to trade during the period? >> thank you, senator shelby. >> chairman, welcome. i missed a lot of the testimony, but he hope this hasn't been one of the questions. in your confirmation hearing,

you agreed at a cost benefit analysis was appropriate and i appreciate your leadership on this issue. what is the fcc doing or trying to do to come forth with the meaningful cost-benefit analysis rule because the rules cost money and sometimes they are really necessary. but we all know and you know in your other life i don't think enough work has been done in the cost-benefit analysis. i agree the cost-benefit analysis is very important in rulemaking should we have the ruble or not have the rule what

are we getting as the cost of that component it's not just yes or no. we want it to be done in the most efficient way possible. >> i know you haven't been there too long but they are glad to see you there. what do you expect to do as far as setting the tone o or the standards down their? >> it is complicated and i like sitting with our economists and i've enjoyed sitting with them discussing these things.

this is an area of interest with me. >> the trend of fewer was mentioned and isn't giving as it should. what is your thought on that without rehashing everything that's been going on over there. it's the water coming into the bathtub i want people to have more choice and it's either

directly by getting stock or mutual funds and access to investment opportunities of the public market i would like retail investors to have more access to those choices looking for a better investment and savings accounts how can we put a lot of that money to work i know you are not the secretary of treasury but wha the treasuro and what your colleagues to does feed right into the economic

growth. the focus for me has been retail investor fraud. that is as important if not more important than increasing the number of opportunities, so we've got to do both. thank you and we like what you're doing. thank you mr. chairman and mr. clayton. before i start with questions i think you and i had a long conversation about a bill that we had that would create a small or full-time business advocate

within the fcc you've moved expeditiously to do that and so i want to acknowledge that help until you are critically important it is that we have that outreach because what you're trying to do in your exchange with senator warren is billed as the opportunity and feed to the next startup that could result in whatever comes along. people think about gambling in las vegas and a lot of them think what you do is about gambling and they think as they go to las vegas there's the whole regulatory body if someone

cheats they are going to get caught or if someone is breaking the system they have a level of confidence they are going to go to jail. i think if you took gambling and use those same guidelines or benchmarks people feel about the equity market i think las vegas would get in a- for soundness and security and fairness. i think the equity markets if we don't respond to this, when the public out there sees executives trading after a material event

and they wouldn't use those languages. they would say here it is again we would have had the shares had we known it but now we are worth 25% less. tell me what we ar you're goingo to convince my retail purchaser that what you are going to do is get it back to a level of confidence. >> i know the people at the commission and i look at those people when we make decisions. that is people make fun of it or not make fun of it that is how i look at what i'm doing and i

know that's what they want to know is we hav have their back d we are policing the companies and looking at what the executive is doing if they are taking unfair advantage in the window of the senator mentioned, that's not appropriate and we are going to do something about it. as far as retail folks go, i also worried about the amount of retail fraud. the amount i see in terms of the enforcement actions discussed me. it's been in the works for sometime we just implemented a new fraud unit because like you, i believe that if the main street investor doesn't think we have their back, we are not doing our job. >> it's not if the main street investor doesn't think that. they don't believe you have her back.

this is what is essential to bring back that confidence and if it is all behind the curtain paying a much attention. people will study it until the next time it happens than they will study it again and we don't have access to that information and we lose money because when that becomes knowledge, when the public knows, guess what happens. the stock tanks and i take the loss while the executives walk away with a big payoff. it just isn't a formula for success and i honestly believe people trust the regulators in las vegas to make sure the slot machine is fair more than they trust you to make sure when they buy equity on your market that they are treated appropriately. >> if that is the case i want to change it. >> i think you need to focus because that is the case. >> thank you senator.

>> thank you mr. chairman. welcome to the committee. i want to focus on some of the challenges that overregulation is putting on smaller businesses and smaller investors. you may be aware of a small business in arkansas that we call wal-mart. somewhat large now. it continues to provide lots of great jobs and everything under the sun. 1970, the wal-mart ipo document 26 pages, 20 if you exclude the financials. i have a document from this last year, 247 pages, ten time the

size of wal-mart. this is one of the reasons why we have so many smaller firms i don't think you can attribute it to the boom from 20 years ago when they've seen a 50% increase over the same time period and they've declined significantly and have gone overseas and that means ultimately small investors, the kind of people that invested in wal-mart made a document that any high school educated person with a bit of business sense could understand and became wealthy over the years as wal-mar has wal-mart go their stock split. they no longer have access to these small companies. they grow increasingly to the private market and get only the most affluent americans, so

without saying private markets are bad, can you please give us a list of steps that you are taking or intend to take that are going to encourage more public offerings in this country? >> one is to allow for the more confidential filings that has proven to be an encouragement for people to consider the public offering process. we have reduced the need to file financial statements that will not end up being part of the public disclosure package to reduce the burden on companies seeking to go public or otherwise using the public markets. the confidential filing process does extend a period of time which allows companies to get secondary liquidity which also encourages them to go public. that's another aspect of it.

on the agenda is our review of the broad disclosure package to try to modernize and enhance it. i want the disclosure package to be just as good and provide just as much investor protection but i want it to be more accessible. we can't have documents that can only be read by lawyers. does anybody read in investment that long besides a lawyer? i know a lot of small mom and pop shops that have made a lot of money off of it and a lot of affordable price quality goods. related the story i want to tell

iisraelis really not that much e than starting that firm today given the regulatory burden it expanded the public oversight to include audits for all broker-dealers registered so that means the six person firm is held to the same standards. the costs have skyrocketed and he doesn't think the quality of the audits were any better. do you think it would be appropriate to have some kind of a threshold for the small firms in the regulatio regulation as e have different standards for community banks?

>> one-size-fits-all doesn't work in a lot of areas. either you are in regulation or you are out. it becomes the question of where do we put those steps. that's how i intend. it's under the existing law.

thank you mr. chairman. i understand they are currently viewing the proposed stock exchange in the chinese company and i don't expect you to comment on the specific transaction but can you discuss the review process? >> the review process is styled as a rulemaking and there was 240 days for a definition of the commission to review the application. that was approved and at the approval like that provides an opportunity to review the approval. they took that reviewing decisions in light of cyber

breaches are you at all concerned that the exchange could expose markets to new risks and vulnerabilities? >> i'm not going to comment on that specific matter before the commission at this time. i am aware of the various issu issues. >> not in regards to this company but just a policy does that concern you that it could expose the market to new risks and vulnerabilities? >> senator, absolutely, not just the four in order that the state actor intrusions and monitoring of our financial markets is an issue that troubles me.

i hope you will consider whether they should disclose the employment data but hopes to determine and to better understand where it has occurred or are you willing to consider the employment disclosure as a part of the broad review of? >> i am willing to consider the guidance and the rest in terms of providing a more accessible disclosure package including areas of unemployment? >> i want to go back to an area that you talked about before they often conduct with the goal of increasing stock prices to impress wall street investors. that has come at the expense of

long-term innovations that would have benefited the country and we've seen it again in recent times where the company used them to make an acquisition and it was immediately in large measure it wasn't going to be the buyback it was just trying to add to the business. they stated they were looking at when and how often they should tell investors about the programs. she was presumably referring to the concept release to solicit the views otheir views on finanl disclosure requirements in the regulation. currently they are reported quarterly. do you think they should be required more than once every

quarter? >> i am not going to comment specifically on something we are reviewing. i am concerned as even you and e discussed i am concerned about this issue and any abuse of stock buybacks. i recognize they have a lot of value in certain circumstances and/or a way to return many well functioning companies see it as a way to return capital to shareholders. many investors engage with companies and the want investor engagement with companies. we can't determine whether their motives were pure or long-term or short-term but there are a lot of considerations that go into this and one thing that does trouble me is short term

interestshort-terminterest looke in this area. >> if you look at what is going on with hedge funds and others i think you will find much of their efforts have nothing to do with company development and strengthening of taking as much out as quickly as possible. thank you mr. chairman. in general do you think companies can do a better job and should they do a better job disclosure and the ris risk andt disclosure documents? >> i don't think the general level of understanding in the market is where i would like it to be and i don't think the disclosure is where it should

be. >> through the regulatory we could shape the disclosure. are you working on a? >> i am. >> there's also a theory i have having watched the agency over several decades in the spire security world it's expensive to stay ahead with technology software and as a result i put in language that allows them to put 50 million in a reserve fund for cybersecurity and other tools. or are you funding this registration piece? you've are physically taking and

depositing it. there wasn't a 100 million-dollar limits put on the fund so you're prepared to go up to $100 million. >> i think we need to spend more money. we made some assessments we went with a flat budget for the next fiscal year and i will not be asking for a flat budget. we need more money in the area of cybersecurity and i intend to ask for it. >> you have a mechanism in this reserve fund it doesn't have to go through any place else.

i would urge you to do that and the other thing is to resist any attempt to. the ability to access the money given the current situation with cybersecurity you have to have the money and i have to agree. >> i agree that the purpose of the fund including being able to make a longer-term commitment is a very good idea. >> let me just go back to the point on these approaches. you make a very thoughtful point of looking in terms of the long run and not quick in and out and

you went back and forth. i've heard of instances where the companies were conducting the stock repurchase is one of the plans were underfunded. i am not aware of any specific situation. >> is that something you would want to look at in the propriety of doing this talk and a commitment to an employee is not filled? >> i haven't thought about that particular question. i would say maybe this is the broad issue of it from the government perspective if somebody is putting a funding obligation in jeopardy by buying

back equity that's a serious consideration for the board of directors. >> would you have the authority to stop the practice by rule >> these are the kind of issues you should be considering because we are committed to the long-term profitability and effectiveness of the companies.

i am sorry i didn't get to hear the opening at the same time but with your indulgence, i want to follow up on the previous hearing and some of the questions we had and see where you are those. as we were dealing with the peak of the crisis, the chair at the time expanded the authority to issue investigative subpoenas in your enforcement division. commissioners had to vote on each and every subpoena and initiated a review of whether they should revert to the prior process for issuing. when i asked about this at the confirmation hearing you said you needed to discuss it with other commissioners and staff. now that you've been there for four months, have you made a decision? >> i have.

there was a time as you noted that the authority rested with the commissioners. that was transitioned to the director of the division of enforcement for efficiency as you cite. later on i was put out to the regional offices and they had the ability to open an investigation. it was pulled back to the code protectors of the enforcement. i've sat with them and discuss this with them whether there was any kind of a sloping down to open matters they are totally comfortablcomfortable that doesd one of them is available. whether the funds would be leaving the country or other reasons i'm comfortable that theruncomfortable but thereisn't

having that authority resting with the two of them. having it with them allows them to more efficiently manage the enforcement division and make sure we don't have somebody in san francisco opening a case in miami. i'm very comfortable that is where it belongs. >> so it's not back at the connection level. >> in our private meeting in the office you said you believe individual accountability has a greater deterrent effect across the market and fun tool to hold individuals accountable is a man thougmemo that was put up by the

previous administration that the attorney generals are looking at right now, rescinding it or weakening its directives to prosecutors. in your view is this consistent with what you've told me in the committecommittee and emphasizet the need to hold individual corporate executives responsible for the corporate misconduct? >> individual accountability in this context has a greater deterrent effect than simply corporate accountability. >> have you thought about what he would do if they resend them in a? >> we coordinate on these matters. i am comfortable that the way

ever division is approaching the matters and looking at individual accountability is correct >> so that is still your emphasis. you criticize enforcement of the corrupt practices act for placing significant cost and president trump criticized than when he was a businessman basically saying it created a disadvantage when they are not able to bribe foreign governments. it's permeating law-enforcement and one analysis found as of september 1 the administration has brought only three of these enforcement actions and two of them each had roots in the obama investigations and at this point

in time during the same time 25 cases had been filed and 17 by the bush administration. can you tell me as the fcc slowing down the investigations and prosecutions or can you explain the numbers to me and implies they are so low? the >> i want to go back to the article that i participated in writing. we need to think about whether we are doing this off on around the world and getting our partners from other countries on board and our other partners have come on board not everywhere but other places and that makes it easier to pursue this type of behavior and have it affected in doing so. >> support is in other countries have had an epiphany code club

fitting and following the law. >> they have upped their game substantially. >> i noticed my time is up. >> i would like to discuss the history of the cybersecurity preaches. can you tell me how many there have been historically at the commission? >> i don't have the data with me today and defining what they preach is. >> who have responsibility for this? >> the office of information technology has overall responsibility. since getting to the commission, i have been reviewing how we handle these matters from an oversight perspective include establishing a cybersecurity

working group including how we share information about risks across the commission. these are areas we need to bring focus to. >> food do they report through? 's >> the office of information technology is pam thiessen and she's a direct report to me and the office of the operating officer. >> how many direct reports to you have? 's >> between 20 and 25. >> is this the first breach that could have facilitated the trading? >> i cannot tell you with 100% certainty that it's the only breach the would have had.

the information could jeopardize in the systemic risks. do you think that there is a breach of >> we don't think that there was personally identifiable information given where it houses a systemic risk. for that iso that is based on ww today and whether there has been a breach where the personally identifiable information was accessed, to my knowledge today i do not know of any o good in this area i cannot give you 100% certainty that that has not

happened. >> you don't think that there has been and is a statement that says it didn't jeopardize information from the commission historically do we know of any that have jeopardized information? >> i know of no historic preaches the jeopardized information but it is of concern to me because he can provide services that are central to the service attack and one of those areas would have material effects across the market system

with other consultants on the project and an extensive list so instead of staying here can i get your commitment that we will get a quick response and acknowledge and advance a lot of it is technical and on. thank you for your indulgence. in a recent speech, the commissioner suggested the company is should be permitted to require shareholders resolves

claims in arbitration and top of the chords for the forced arbitration this is as you know contrary to the best practice and contrary to the stated views on this issue. will they reject the requirements for the companies going public? >> i'm not going to prejudge this issue but i understand it is a staple issue and they are not permitted to have mandatory arbitration but i'm not going to categorically say you would never have a situation where something other than accessing the state for a particular were several particular items is off

the table but i am very cognizant that the ability to go to court. >> i don't know if they articulated this issue's >> we have done so in the context of particular requests in the past there've been requests in the past and there's a long history that i'm there to discuss but i don't think that they articulated a firm view on this issue in the past. >> i was told by staff of the questions for the record are due next tuesday.

we wish you well. meeting adjourned

this hearing is two and a half hours.